How "injection" by your ISP works?


I got curious about how this works after testing it on my own website, which intentionally does not use the "Force HTTPS" feature, for research purposes. The site was evilfactorylabs RNDC. Even with DNSCrypt in use, this ISP still injects a script into my web page!

Something I don't understand: when I use Tor Browser to access my site, even over plain HTTP, they can't inject it.

What the ISP (HELLO INDIEHOME) did today was evil and unethical, whatever reason they had. I've paid them some IDR, so what? Tracing what I do over your internet service to make sure I'm not doing something bad?

Let's see how they did it. First of all I need to capture my request so I know where to start looking.

Basically, computers talk to each other over TCP, and HTTP is layered on top of it. 192.168.1.7 was my IP address and 104.18.34.80 was the Cloudflare IP used by Netlify to serve my site. The conversation should only be between 2 computers (mine and Cloudflare's), so I need to know which packets were sent to my IP in the ??? part.

But first of all, let's do some cURL.

As far as I know, "left intact" in cURL means the connection to the server was left open for the next request (the keep-alive thing). So if you request another URL and the server supports keep-alive, your request reuses the same TCP connection as before.

There is no relation between the injected script and the "left intact" message in the previous image, since the ISP injects its script just before the closing body tag.

This was just to look for the source of the problem.

Looking for rabbit hole

Based on what we did previously, we have some clues:

  • The injection is done on the TCP connection, inside the HTTP response itself (I believe), not at the DNS level.
  • There is an open TCP connection to them that is always listening.
  • They only inject into plain HTTP responses, since that data is not encrypted.

This is what it looks like when I use HTTPS to access my site:

All data is encrypted, including the Host header, the status line, the Content-Type header, and so on. As far as I know they only inject into:

  • Pages served over plain HTTP (obviously)
  • Responses with status code 200
  • Responses with Content-Type text/html

This is when I try to access a page that returns a 404 status code:

OK now where is the rabbit hole?

This is Firefox opened with no tabs at all, in safe mode.

See that Telkom connection?

And look at tor.real: it only has a connection open to init7, which is a relay for my Tor connection. Tor keeps only that one TCP connection open even when I have 6 tabs open, including the HTTP ones.

I don't know why (or which) HTTP connection Firefox was using, but whatever, just use Tor Browser.

Now, let's dive deeper.

Remember how the internet works? I mean, what happens when we try to access http://something.com? In case you forgot, here is a quick preview of what happens when I access an HTTP-based site.

First, we do a DNS lookup. My ISP uses a transparent proxy, so they can see which website I'm trying to visit. This is a separate problem.

To solve this, I use DNSCrypt, so the DNS query is encrypted.

Second, the ISP may then no longer learn from DNS which website I'm trying to visit, but they have that "always listening" TCP connection in my browser.

OK, probably it isn't listening forever, but I don't know exactly when Firefox will close that connection.

So they can still see which website you visit from the HTTP connection itself: over plain HTTP the Host header and the URL travel in cleartext. This is the root of the problem.

Last, once you use their internet service, you cannot opt out of this.

If your question is "why does my ISP block X", that is a DNS query-level thing.

If your question is "why does my ISP inject some script", that is a TCP-level thing (the HTTP response itself is modified).

Quick Preview

Here is a quick preview of how this works.

Blocking site

The first command in the image above was without DoH and the second one was with it. If you run whois, the IP 180.252.3.17 and the ones below it are owned by Telkom.

This is how they can block your favorite website: your query goes to their DNS server (I believe).

The first one was with DoH and the second one was without.

Injecting script

I don't know the exact answer, but there are 2 possible options:

  1. They modify the TCP data in flight, which I think is very hard. I assume this would be done at the router level.
  2. They run a transparent reverse proxy, so you receive the injected page instead of the original one. This looks like how Cloudflare's email obfuscation and Netlify's script injection work.
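Here is an added example (not the ISP's code, and not from the original post) that models option 2: a transparent proxy applying the three conditions noted earlier (plain HTTP, status 200, Content-Type text/html), splicing a script tag in front of the closing body tag, and correcting Content-Length so the response still frames correctly. The second function is the check a visitor can run: compare the body fetched over HTTP through the ISP with the same page fetched over HTTPS or through Tor. The script URL, the page and the responses are all constructed placeholders, not captured traffic.

```python
"""Added example, not the ISP's code or the author's: a model of the
"transparent reverse proxy" option. It applies the three conditions seen
in the post (plain HTTP, status 200, Content-Type text/html), splices a
<script> tag in front of </body>, and fixes Content-Length so the browser
still reads the whole body. find_injection() is the visitor-side check:
diff the body seen over HTTP against the one seen over HTTPS or Tor."""

# Placeholder for whatever the ISP's injector references; not the real URL.
INJECTED_TAG = b'\n<script src="http://injector.example/i.js"></script>'


def parse(raw: bytes):
    """Split a raw HTTP/1.1 response into (status, lowercased headers, body)."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no header/body separator")
    lines = head.split(b"\r\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body


def inject(raw: bytes, tag: bytes = INJECTED_TAG) -> bytes:
    """Return the response as the injecting proxy would forward it."""
    status, headers, body = parse(raw)
    ctype = headers.get(b"content-type", b"").split(b";")[0].strip().lower()
    if status != 200 or ctype != b"text/html":
        return raw  # 404s, JSON, images: passed through untouched
    # A real injector also has to rewrite chunked and gzip-compressed bodies;
    # this model only handles plain, Content-Length framed responses.
    if b"chunked" in headers.get(b"transfer-encoding", b"").lower():
        return raw
    if headers.get(b"content-encoding"):
        return raw
    idx = body.lower().rfind(b"</body>")
    if idx < 0:
        return raw
    new_body = body[:idx] + tag + body[idx:]
    head_lines = raw.partition(b"\r\n\r\n")[0].split(b"\r\n")
    out = []
    for line in head_lines:
        if line.lower().startswith(b"content-length:"):
            line = b"Content-Length: %d" % len(new_body)  # keep framing valid
        out.append(line)
    return b"\r\n".join(out) + b"\r\n\r\n" + new_body


def find_injection(clean: bytes, observed: bytes) -> bytes:
    """Bytes present in `observed` but not in `clean`, assuming one contiguous
    insertion. `clean` is the body fetched over HTTPS (or via Tor), `observed`
    the one fetched over plain HTTP through the ISP."""
    if clean == observed:
        return b""
    limit = min(len(clean), len(observed))
    p = 0
    while p < limit and clean[p] == observed[p]:
        p += 1
    s = 0
    while s < limit - p and clean[-1 - s] == observed[-1 - s]:
        s += 1
    return observed[p:len(observed) - s]


# Constructed sample responses (not captured traffic).
PAGE = b"<html><head><title>rndc</title></head><body>hi</body></html>"
HTML_OK = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html; charset=utf-8\r\n"
           b"Content-Length: %d\r\nConnection: keep-alive\r\n\r\n" % len(PAGE)) + PAGE
HTML_404 = (b"HTTP/1.1 404 Not Found\r\nContent-Type: text/html\r\n"
            b"Content-Length: %d\r\n\r\n" % len(PAGE)) + PAGE
JSON_OK = (b"HTTP/1.1 200 OK\r\nContent-Type: application/json\r\n"
           b"Content-Length: 2\r\n\r\n{}")

if __name__ == "__main__":
    tampered = inject(HTML_OK)
    print(tampered.decode())
    print("injected:", find_injection(PAGE, parse(tampered)[2]))
```

Run it directly to see the tampered response and the diff. The model passes chunked and compressed bodies through untouched; a production injector has to de-chunk and decompress before it can find the closing body tag, which is one reason a full proxy (option 2) is more plausible than patching TCP segments in flight (option 1). Cloudflare's email obfuscation and Netlify's snippet injection perform the same rewrite, the difference being that the site owner asked for it.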

And what they did, I think, was theft. They modify our data without our direct permission, whether you are the site owner or just a visitor.

They are truly a BlackHat Hacker.

But their activities are legal. Seriously.

How to solve this?

There are 3 solutions, sorted by effort.

First, don't use their service. Very easy.

Second, use encrypted DNS, either DoH (DNS over HTTPS) or DNSCrypt, which is my favorite, and don't access websites over plain HTTP. Medium effort.

Third, use Tor Browser. Whether you visit an HTTP-based website or don't use DoH, your connection will (at least) remain secure from your ISP. Keep in mind that for plain HTTP the Tor exit node sits in the same position your ISP does now and could inject just as easily; Tor takes your ISP out of the path, it does not encrypt the HTTP page itself.

Because you cannot stop them unless you have a strong, rational argument, and some bravery. Obviously.

Summary

If you are a site owner, please use HTTPS for your website. You can use Let's Encrypt for free (thank them!), or Cloudflare Flexible SSL if you want. Note that Flexible SSL only encrypts the visitor-to-Cloudflare leg, which is where this ISP sits; Cloudflare still fetches from your origin over plain HTTP, so use Full (strict) with a certificate on the origin when you can. And turn "Force HTTPS" back on, so the visitor's first plain-HTTP request is redirected instead of being served.

By using HTTPS, you help keep your users and visitors safe.

If you are a user, please use DoH, or even Tor Browser. A VPN won't keep you 100% safe either, since you would just be trusting the VPN provider instead of the ISP.

DoH only encrypts your DNS queries; the bad guy (including your ISP) can still intercept your TCP connection data.

I understand their effort to keep the internet healthy by blocking porn, gambling, and phishing sites. But it has a cost, and a very expensive one. What if you just "educated" Indonesian internet users to use the internet "the good" way instead?

Until we realize it, this is only a "man behind the gun" problem. The "it all comes back to each of us" thing.

Enjoy the cost on censoring some websites in Indonesia.

You cannot prevent someone from killing with his gun just by taking away his gun, or everything he has.

All you need is to educate him.

Because he still has hands and feet, and can kill anyone with them whenever he wants.


This is what they collect from you, besides displaying ads to you:

- id=1
- enc=9UwkxLgY9
- params=4TtHaUQnUEiP6K%2fc5C582Am8lISurprAwDxFE7yB9jPMfr0bKzZzBH%2b0PXfCLz4umKWMrKnJt1eddjJSSEdwDDxBx2AGQ0sAs5QBIvkODSj5lcwN2hpewF3NK8wh1a1Lq5wVxuKcMJIKF2Va3R4SMXpwY0H4%2bPUXMcggssAN8TWNe%2f66hGBm0UV9o2dW3BYYXrYCaOcudQUa5tRFrB%2fnKh4PJ0KnW3MtyKtEUhkEAVKX%2f%2ftw9S%2btpN4ReqqkK%2b8DMrlqe%2bfoqcDqEZTHZft1cvxwhKL2kn6syRcip3y9CnFaeTyykC0oSC7jn0RrPhK01lq%2bFIgimSphqOmMEoQc7ktun6UMM5CMsmSWu3Mv7jV0gBRaaAgitMTkBqLXC4I97hUJ26vf5nVgr3FAeXnpXHxKEtnr6yUUH7uXqFM3k%2bdiHyhfAWx2tlWzWpWhnFpUJ6GObqLjalMUGTD0T9XTX9aqUBKal%2bnygOCCX4V9OlIaapgjdvDwxFsRJIl47hfpd2xcLzX8CwmNsVKX%2bFZhtQ%3d%3d
- idc_r=37714844107
- domain=rndc.evilfactory.id
- sw=1440 (screen width)
- sh=900 (screen height)

params is encrypted, but you can try decodeURIComponent + atob on it (and take a look at the enc value).
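An added example (not from the post and not the injector's code): the decodeURIComponent + atob step above, done in Python, followed by the quick checks I would run on the result to tell ciphertext from text: total length, 16-byte block alignment, printability and byte entropy. PARAMS is the value quoted above, copied verbatim; enc is left alone because its role is not known.

```python
"""Added example, not the author's or the injector's code: URL-decode and
base64-decode the `params` value the injected script sends, then look at
the shape of what comes out. PARAMS is copied from the post."""
import base64
import math
import urllib.parse
from collections import Counter

PARAMS = (
    "4TtHaUQnUEiP6K%2f"
    "c5C582Am8lISurprAwDxFE7yB9jPMfr0bKzZzBH%2b"
    "0PXfCLz4umKWMrKnJt1eddjJSSEdwDDxBx2AGQ0sAs5QBIvkODSj5lcwN2hpewF3NK8wh1a1Lq5wVxuKcMJIKF2Va3R4SMXpwY0H4%2b"
    "PUXMcggssAN8TWNe%2f"
    "66hGBm0UV9o2dW3BYYXrYCaOcudQUa5tRFrB%2f"
    "nKh4PJ0KnW3MtyKtEUhkEAVKX%2f%2f"
    "tw9S%2b"
    "tpN4ReqqkK%2b"
    "8DMrlqe%2b"
    "foqcDqEZTHZft1cvxwhKL2kn6syRcip3y9CnFaeTyykC0oSC7jn0RrPhK01lq%2b"
    "FIgimSphqOmMEoQc7ktun6UMM5CMsmSWu3Mv7jV0gBRaaAgitMTkBqLXC4I97hUJ26vf5nVgr3FAeXnpXHxKEtnr6yUUH7uXqFM3k%2b"
    "diHyhfAWx2tlWzWpWhnFpUJ6GObqLjalMUGTD0T9XTX9aqUBKal%2b"
    "nygOCCX4V9OlIaapgjdvDwxFsRJIl47hfpd2xcLzX8CwmNsVKX%2b"
    "FZhtQ%3d%3d"
)


def decode_params(value: str) -> bytes:
    """decodeURIComponent + atob, in Python terms. Strict base64 so a
    mangled copy fails loudly instead of decoding to garbage."""
    return base64.b64decode(urllib.parse.unquote(value), validate=True)


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: around 4.5 for English text, close to 8 for ciphertext."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_like_text(data: bytes) -> bool:
    """True only if every byte is printable ASCII or whitespace."""
    return all(0x20 <= b < 0x7F or b in b"\t\r\n" for b in data)


def analyse(value: str) -> dict:
    raw = decode_params(value)
    return {
        "length": len(raw),
        # A multiple of 16 is what a padded block cipher (AES-CBC style) produces.
        "block16_aligned": len(raw) % 16 == 0,
        "printable": looks_like_text(raw),
        "entropy_bits_per_byte": round(shannon_entropy(raw), 2),
        "head_hex": raw[:8].hex(),
    }


if __name__ == "__main__":
    for key, val in analyse(PARAMS).items():
        print(f"{key}: {val}")
```

The decoded value is 400 bytes: a multiple of 16, a non-ASCII first byte (0xE1) and an entropy well above anything text produces. That is consistent with the author's description of it as encrypted (a padded block cipher gives exactly this shape), but nothing here identifies the cipher, the key, or what enc contributes; the enc value is short enough to be a key identifier or nonce rather than the key itself, which is only a guess.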

You can see a prettified version of their injection script here.

End.

This is an illegal thing. They run some "computation" on "your computer" without your direct permission.

Also, they spy on you.

On every website you try to visit.

For the sake of healthy internet.

Or profit?

For nerd only